splunk-connect-for-syslog
Unable to onboard log source via "Simple Log path by port"
Hi,
I am trying to onboard syslogs from a source that is not listed in "known vendors" so I am using the "Simple Log path by port" as an interim as suggested
https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/simple/
I have configured splunk_metadata.csv and env_file as documented and followed the guidance under "options". Below is for reference only but shows which variables I have used.
splunk_metadata.csv:
first_firewall,index,netfw
first_firewall,sourcetype,first:firewall
env_file:
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://<splunk_cloud_url>:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=TOKEN_STRING
SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TCP_PORT=1024
SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC=yes
- The token has access to the index it needs to drop the events in (I added "all available indexes" as suggested but nothing lands in even lastchanceindex)
- port 1024/tcp is listening on the sc4s server
- I can see via tcpdump the logs are hitting the server on 1024/tcp
- I can echo a test message into Splunk Cloud on port 1024 as suggested on the troubleshooting page (echo '<raw_sample>' | nc)
Below is an example of the logs;
1663320702|710759|1|4|127.0.0.1|127.0.0.1|tcp|41538|53|32|37912|0010000|0|ntp.ubuntu.com|28|1
1663320702|711647|1|4|127.0.0.1|127.0.0.1|tcp|40720|53|32|38945|0010000|0|ntp.ubuntu.com|1|1
1663320702|711660|1|4|127.0.0.1|127.0.0.1|tcp|40720|53|32|46880|0010000|0|ntp.ubuntu.com|28|1
- Side note: I have the "known vendor" Trend set up and working already. The logs land in Splunk Cloud and the HEC TEST EVENTS land in the correct index.
TCP Retransmission - occurs when the sender retransmits a packet after the acknowledgement timer expires. It looks like a firewall/connectivity issue to me.
Possibly. Please don't choose any index while creating the token; make it default (with no index).
Please feel free to reach out to me in the external user Slack channel if you need more help on this.
If I leave it default, no indexes are added to "selected indexes". If I move any/all over from "available indexes", default changes to the first alphabetical one.
Where do I access the external slack channel?
While creating the token, just don't choose anything. PFB the link: https://docs.splunk.com/Documentation/Community/1.0/community/Chat
Ok. The link you sent returns "No results matched your search."?
Apologies please try again
Thank you
Hi,
Your default token suggestion worked but only in part. The existing "known vendor" Trend continues to work and the events land in the correct index. The simple log source does not, and no events land in the "first_firewall" index we expect, or even lastchanceindex (defaults in the live config replaced as advised in the docs).
splunk_metadata.csv:
first_firewall,index,netfw
first_firewall,sourcetype,first:firewall
env_file:
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://<splunk_cloud_url>:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=TOKEN_STRING
SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TCP_PORT=1024
SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC=yes
Can you capture a pcap and DM me in the external Slack channel, or anonymize the message including headers and attach it here? I will check it asap.
tcp_1024_ANON.zip (see rows 10 onwards)
I completed the Chat groups Google form but it is awaiting approval.
I can see lots of SYN packets in the pcap but no SYN-ACK, ACK packets as part of the three-way handshake between source and destination.
Should these logs still be ingested by Splunk via the "Simple Log by port" config I have set? They are coming over on port 1024/tcp
Based on what you have in splunk_metadata.csv, wouldn't you want this in your env_file instead?
SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_TCP_PORT=1024
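The suggestion above hinges on the naming contract between the two files: the key in splunk_metadata.csv (first_firewall) must match the `<VENDOR_PRODUCT>` part of the `SC4S_LISTEN_SIMPLE_<VENDOR_PRODUCT>_TCP_PORT` variable, lowercased. The following checker is an added example, not SC4S code; it takes the config posted earlier in this thread as constructed input and reports the mismatch, and the lowercase-key mapping it applies is an assumption taken from the thread rather than from the SC4S source.

```python
import csv
import io
import re

# Constructed input: the splunk_metadata.csv and env_file posted in this thread.
METADATA_CSV = """first_firewall,index,netfw
first_firewall,sourcetype,first:firewall
"""
ENV_FILE = """SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://<splunk_cloud_url>:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=TOKEN_STRING
SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TCP_PORT=1024
SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC=yes
"""

# Matches only the simple-log-path listener variables, capturing VENDOR_PRODUCT and protocol.
LISTEN_RE = re.compile(r"^SC4S_LISTEN_SIMPLE_(?P<key>[A-Z0-9_]+?)_(?P<proto>TCP|UDP)_PORT$")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def metadata_keys(text):
    """Return the set of keys (first column) defined in splunk_metadata.csv."""
    return {row[0].strip() for row in csv.reader(io.StringIO(text)) if row and row[0].strip()}

def simple_listeners(env):
    """Map each simple listener variable to (metadata key, proto, port).
    Assumption: SC4S looks up the lowercase form of <VENDOR_PRODUCT> in splunk_metadata.csv."""
    found = {}
    for name, value in env.items():
        m = LISTEN_RE.match(name)
        if m:
            found[name] = (m.group("key").lower(), m.group("proto"), value)
    return found

def check(metadata_text, env_text):
    """Return a list of problems: listeners with no metadata row, metadata rows with no listener."""
    keys = metadata_keys(metadata_text)
    listeners = simple_listeners(parse_env(env_text))
    problems, listened = [], set()
    for name, (key, proto, port) in listeners.items():
        listened.add(key)
        if key not in keys:
            problems.append(f"{name}={port} expects metadata key '{key}', but csv has {sorted(keys)}")
    for key in sorted(keys - listened):
        problems.append(f"metadata key '{key}' has no SC4S_LISTEN_SIMPLE_{key.upper()}_<TCP|UDP>_PORT listener")
    return problems
```

Running `check(METADATA_CSV, ENV_FILE)` on the posted config reports two problems (the listener wants vendor_product, and first_firewall has no listener); renaming the variable to SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_TCP_PORT clears both.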
I have tried this already without success.
I'm closing this issue because it's not possible to reproduce the context needed to solve it. However, feel free to open a new one if you have a feature request or bug report. For support, please submit a support ticket to Splunk.